Recommendations for Creating Codes of Conduct for Processing Personal Data in Biobanking Based on the GDPR art.40

Personal data protection has become a fundamental normative challenge for biobankers and scientists researching human biological samples and associated data. The General Data Protection Regulation (GDPR) harmonises the law on protecting personal data throughout Europe and allows developing codes of conduct for processing personal data based on GDPR art. 40. Codes of conduct are a soft law measure to create protective standards for data processing adapted to the specific area, among others, to biobanking of human biological material. Challenges in this area were noticed by the European Data Protection Supervisor on data protection and Biobanking and BioMolecular Resources Research Infrastructure–European Research Infrastructure Consortium (BBMRI.ERIC). They concern mainly the specification of the definitions of the GDPR and the determination of the appropriate legal basis for data processing, particularly for transferring data to other European countries. Recommendations indicated in the article, which are based on the GDPR, guidelines published by the authority and expert bodies, and our experiences regarding the creation of the Polish code of conduct, should help develop how a code of conduct for processing personal data in biobanks should be developed.

Download Full-text

Delegation-Based Personal Data Processing Request Notarization Framework for GDPR Based on Private Blockchain

Applied Sciences ◽

10.3390/app112210574 ◽

2021 ◽

Vol 11 (22) ◽

pp. 10574

Author(s):

Sung-Soo Jung ◽

Sang-Joon Lee ◽

Ieck-Chae Euom

Keyword(s):

Data Processing ◽

Data Protection ◽

Data Privacy ◽

Personal Data ◽

General Data Protection Regulation ◽

Personal Data Protection ◽

Compliance Audit ◽

General Data ◽

Data Controller ◽

Data Subject

With the growing awareness regarding the importance of personal data protection, many countries have established laws and regulations to ensure data privacy and are supervising managements to comply with them. Although various studies have suggested compliance methods of the general data protection regulation (GDPR) for personal data, no method exists that can ensure the reliability and integrity of the personal data processing request records of a data subject to enable its utilization as a GDPR compliance audit proof for an auditor. In this paper, we propose a delegation-based personal data processing request notarization framework for GDPR using a private blockchain. The proposed notarization framework allows the data subject to delegate requests to process of personal data; the framework makes the requests to the data controller, which performs the processing. The generated data processing request and processing result data are stored in the blockchain ledger and notarized via a trusted institution of the blockchain network. The Hypderledger Fabric implementation of the framework demonstrates the fulfillment of system requirements and feasibility of implementing a GDPR compliance audit for the processing of personal data. The analysis results with comparisons among the related works indicate that the proposed framework provides better reliability and feasibility for the GDPR audit of personal data processing request than extant methods.

Download Full-text

Privacy Management System for the Purpose of Managing Personal Data Protection Challenges Regarding Monitoring of Employees: Hungary Specific Code of Conduct

SSRN Electronic Journal ◽

10.2139/ssrn.2288137 ◽

2012 ◽

Author(s):

Balazs Ratai

Keyword(s):

Data Protection ◽

Management System ◽

Code Of Conduct ◽

Personal Data ◽

Privacy Management ◽

Personal Data Protection

Download Full-text

Data Protection Impact Assessment (DPIA) for Cloud-Based Health Organizations

Future Internet ◽

10.3390/fi13030066 ◽

2021 ◽

Vol 13 (3) ◽

pp. 66

Author(s):

Dimitra Georgiou ◽

Costas Lambrinoudakis

Keyword(s):

Impact Assessment ◽

Data Protection ◽

Gap Analysis ◽

Health Care Organization ◽

Personal Data ◽

Care Organization ◽

The European Union ◽

General Data Protection Regulation ◽

Personal Data Protection ◽

Compliance Level

The General Data Protection Regulation (GDPR) harmonizes personal data protection laws across the European Union, affecting all sectors including the healthcare industry. For processing operations that pose a high risk for data subjects, a Data Protection Impact Assessment (DPIA) is mandatory from May 2018. Taking into account the criticality of the process and the importance of its results, for the protection of the patients’ health data, as well as the complexity involved and the lack of past experience in applying such methodologies in healthcare environments, this paper presents the main steps of a DPIA study and provides guidelines on how to carry them out effectively. To this respect, the Privacy Impact Assessment, Commission Nationale de l’Informatique et des Libertés (PIA-CNIL) methodology has been employed, which is also compliant with the privacy impact assessment tasks described in ISO/IEC 29134:2017. The work presented in this paper focuses on the first two steps of the DPIA methodology and more specifically on the identification of the Purposes of Processing and of the data categories involved in each of them, as well as on the evaluation of the organization’s GDPR compliance level and of the gaps (Gap Analysis) that must be filled-in. The main contribution of this work is the identification of the main organizational and legal requirements that must be fulfilled by the health care organization. This research sets the legal grounds for data processing, according to the GDPR and is highly relevant to any processing of personal data, as it helps to structure the process, as well as be aware of data protection issues and the relevant legislation.

Download Full-text

Reconciliation of anti-money laundering instruments and European data protection requirements in permissionless blockchain spaces

Journal of Cybersecurity ◽

10.1093/cybsec/tyab004 ◽

2021 ◽

Vol 7 (1) ◽

Author(s):

Iwona Karasek-Wojciechowicz

Keyword(s):

Data Processing ◽

Money Laundering ◽

Data Protection ◽

Task Force ◽

Policy Instruments ◽

Personal Data ◽

General Data Protection Regulation ◽

Terrorist Financing ◽

The Government ◽

High Level

AbstractThis article is an attempt to reconcile the requirements of the EU General Data Protection Regulation (GDPR) and anti-money laundering and combat terrorist financing (AML/CFT) instruments used in permissionless ecosystems based on distributed ledger technology (DLT). Usually, analysis is focused only on one of these regulations. Covering by this research the interplay between both regulations reveals their incoherencies in relation to permissionless DLT. The GDPR requirements force permissionless blockchain communities to use anonymization or, at the very least, strong pseudonymization technologies to ensure compliance of data processing with the GDPR. At the same time, instruments of global AML/CFT policy that are presently being implemented in many countries following the recommendations of the Financial Action Task Force, counteract the anonymity-enhanced technologies built into blockchain protocols. Solutions suggested in this article aim to induce the shaping of permissionless DLT-based networks in ways that at the same time would secure the protection of personal data according to the GDPR rules, while also addressing the money laundering and terrorist financing risks created by transactions in anonymous blockchain spaces or those with strong pseudonyms. Searching for new policy instruments is necessary to ensure that governments do not combat the development of all privacy-blockchains so as to enable a high level of privacy protection and GDPR-compliant data processing. This article indicates two AML/CFT tools which may be helpful for shaping privacy-blockchains that can enable the feasibility of such tools. The first tool is exceptional government access to transactional data written on non-transparent ledgers, obfuscated by advanced anonymization cryptography. The tool should be optional for networks as long as another effective AML/CFT measures are accessible for the intermediaries or for the government in relation to a given network. If these other measures are not available and the network does not grant exceptional access, the regulations should allow governments to combat the development of those networks. Effective tools in that scope should target the value of privacy-cryptocurrency, not its users. Such tools could include, as a tool of last resort, state attacks which would undermine the trust of the community in a specific network.

Download Full-text

Capturing the Basics of the GDPR in a Well-Founded Legal Domain Modular Ontology

10.3233/faia210378 ◽

2021 ◽

Author(s):

Mirna El Ghosh ◽

Habib Abdulrab

Keyword(s):

Data Protection ◽

Legal Reasoning ◽

Conceptual Modeling ◽

Personal Data ◽

Process Ontology ◽

General Data Protection Regulation ◽

Personal Data Protection ◽

Modular Ontology ◽

Legal Domain ◽

Ontology Reuse

The primary goal of the General Data Protection Regulation (GDPR) is to regulate the rights and duties of citizens and organizations over personal data protection. Implementing the GDPR is recently gaining much importance for legal reasoning and compliance checking purposes. In this work, we aim to capture the basics of GDPR in a well-founded legal domain modular ontology named OPPD (Ontology for the Protection of Personal Data). Ontology-Driven Conceptual Modeling (ODCM), ontology layering, modularization, and reuse processes are applied. These processes aim to support the ontology engineer in overcoming the complexity of the legal knowledge and developing an ontology model faithful to reality. ODCM is used for grounding OPPD in the Unified Foundational Ontology (UFO). Ontology modularization and layering aim to simplify the ontology building process. Ontology reuse focuses on selecting and reusing Conceptual Ontology Patterns (COPs) from UFO and the legal core ontology UFO-L. OPPD intends to overcome the lack of a representation of legal procedures that most ontologies encountered. The potential use of OPPD is proposed to formalize the GDPR rules by combining ontological reasoning and Logic Programming.

Download Full-text

Data Sharing Under the General Data Protection Regulation

Hypertension ◽

10.1161/hypertensionaha.120.16340 ◽

2021 ◽

Vol 77 (4) ◽

pp. 1029-1035

Author(s):

Antonia Vlahou ◽

Dara Hallinan ◽

Rolf Apweiler ◽

Angel Argiles ◽

Joachim Beige ◽

...

Keyword(s):

European Union ◽

Data Protection ◽

Personal Data ◽

Research Approach ◽

The European Union ◽

General Data Protection Regulation ◽

Personal Data Protection ◽

Protection Legislation ◽

General Data ◽

Almost All

The General Data Protection Regulation (GDPR) became binding law in the European Union Member States in 2018, as a step toward harmonizing personal data protection legislation in the European Union. The Regulation governs almost all types of personal data processing, hence, also, those pertaining to biomedical research. The purpose of this article is to highlight the main practical issues related to data and biological sample sharing that biomedical researchers face regularly, and to specify how these are addressed in the context of GDPR, after consulting with ethics/legal experts. We identify areas in which clarifications of the GDPR are needed, particularly those related to consent requirements by study participants. Amendments should target the following: (1) restricting exceptions based on national laws and increasing harmonization, (2) confirming the concept of broad consent, and (3) defining a roadmap for secondary use of data. These changes will be achieved by acknowledged learned societies in the field taking the lead in preparing a document giving guidance for the optimal interpretation of the GDPR, which will be finalized following a period of commenting by a broad multistakeholder audience. In parallel, promoting engagement and education of the public in the relevant issues (such as different consent types or residual risk for re-identification), on both local/national and international levels, is considered critical for advancement. We hope that this article will open this broad discussion involving all major stakeholders, toward optimizing the GDPR and allowing a harmonized transnational research approach.

Download Full-text

Privacy, security, legal and technology acceptance elicited and consolidated requirements for a GDPR compliance platform

Information and Computer Security ◽

10.1108/ics-01-2020-0002 ◽

2020 ◽

Vol 28 (4) ◽

pp. 531-553 ◽

Cited By ~ 1

Author(s):

Aggeliki Tsohou ◽

Emmanouil Magkos ◽

Haralambos Mouratidis ◽

George Chrysoloras ◽

Luca Piras ◽

...

Keyword(s):

Technology Acceptance ◽

Data Protection ◽

Personal Data ◽

Secondary Process ◽

Multiple Perspectives ◽

Data Governance ◽

Content Type ◽

General Data Protection Regulation ◽

Personal Data Protection ◽

Eu Project

Purpose General data protection regulation (GDPR) entered into force in May 2018 for enhancing personal data protection. Even though GDPR leads toward many advantages for the data subjects it turned out to be a significant challenge. Organizations need to implement long and complex changes to become GDPR compliant. Data subjects are empowered with new rights, which, however, they need to become aware of. GDPR compliance is a challenging matter for the relevant stakeholders calls for a software platform that can support their needs. The aim of data governance for supporting GDPR (DEFeND) EU project is to deliver such a platform. The purpose of this paper is to describe the process, within the DEFeND EU project, for eliciting and analyzing requirements for such a complex platform. Design/methodology/approach The platform needs to satisfy legal and privacy requirements and provide functionalities that data controllers request for supporting GDPR compliance. Further, it needs to satisfy acceptance requirements, for assuring that its users will embrace and use the platform. In this paper, the authors describe the methodology for eliciting and analyzing requirements for such a complex platform, by analyzing data attained by stakeholders from different sectors. Findings The findings provide the process for the DEFeND platform requirements’ elicitation and an indicative sample of those. The authors also describe the implementation of a secondary process for consolidating the elicited requirements into a consistent set of platform requirements. Practical implications The proposed software engineering methodology and data collection tools (i.e. questionnaires) are expected to have a significant impact for software engineers in academia and industry. Social implications It is reported repeatedly that data controllers face difficulties in complying with the GDPR. The study aims to offer mechanisms and tools that can assist organizations to comply with the GDPR, thus, offering a significant boost toward the European personal data protection objectives. Originality/value This is the first paper, according to the best of the authors’ knowledge, to provide software requirements for a GDPR compliance platform, including multiple perspectives.

Download Full-text

Changing Mobility Lifestyle

International Journal of E-Planning Research ◽

10.4018/ijepr.20210401.oa6 ◽

2021 ◽

Vol 10 (2) ◽

pp. 66-79

Author(s):

Vít Pászto ◽

Jaroslav Burian ◽

Karel Macků

Keyword(s):

Data Processing ◽

Data Protection ◽

Personal Data ◽

Detailed Data ◽

Real Motion ◽

The Real ◽

Location Service ◽

Motion Data ◽

Personal Data Protection ◽

Analytical Processing

The article is focused on a detailed micro-study describing changes in the behaviour of the authors in three months before and during the COVID-19 pandemic. The study is based on data from Google Location Service. Despite the fact it evaluates only three people and the study cannot be sufficiently representative, it is a unique example of possible data processing at such a level of accuracy. The most significant changes in the behaviour of authors before and during the COVID-19 quarantine are described and interpreted in detail. Another purpose of the article is to point out the possibilities of analytical processing of Google Location while being aware of personal data protection issues. The authors recognize that by visualizing the real motion data, one partially discloses their privacy, but one considers it very valuable to show how detailed data Google collects about the population and how such data can be used effectively.

Download Full-text

The State Archives of the Republic of Macedonia: Use of Archival Material and Data Protection Pursuant to the Law on Personal Data Protection and the General Data Protection Regulation

Atlanti ◽

10.33700/2670-451x.28.2.91-98(2018) ◽

2018 ◽

Vol 28 (2) ◽

pp. 91-98

Author(s):

Svetlana Usprcova

Keyword(s):

Data Protection ◽

Personal Data ◽

The State ◽

General Data Protection Regulation ◽

Archival Material ◽

Personal Data Protection ◽

Republic Of Macedonia ◽

Other Information ◽

The Republic ◽

State Archives

The aim of this paper is to explain the position of the State Archives of the Republic of Macedonia as guardian of the archival material, which is a subject of use for scientific, academic, administrative, public, publishing, exhibition and other purposes. In the process of use of the archival material, the archivists must be very careful in order to protect confidential, sensitive, legal and other information contained in the archival material, and take some measures in relation to the personal data protection. Herein, the author, also talks about the current Law on personal data protection and the harmonisation of the national law with the European legislation.

Download Full-text

GDPR implementation as the main reason for the regional fragmentation in the online mediasphere

E3S Web of Conferences ◽

10.1051/e3sconf/202127308099 ◽

2021 ◽

Vol 273 ◽

pp. 08099

Author(s):

Mikhail Smolenskiy ◽

Nikolay Levshin

Keyword(s):

European Union ◽

Data Protection ◽

Personal Data ◽

Main Role ◽

The European Union ◽

Protection Measures ◽

General Data Protection Regulation ◽

Personal Data Protection ◽

The Usa ◽

General Data

The EU’s General Data Protection Regulation (GDPR) applies not only to the territory of the European Union, but also to all information systems containing data of EU’s citizens around the world. Misusing or carelessly handling personal data bring fines of up to 20 million euros or 4% of the annual turnover of the offending company. This article analyzes the main trends in the global implementation of the GDPR. Authors considered and analyzed results of personal data protection measures in nineteen regions: The USA, Canada, China, France, Germany, India, Kazakhstan, Nigeria, Russia, South Korea and Thailand, as well as the European Union and a handful of other. This allowed identifying a direct pattern between the global tightening of EU’s citizens personal data protection and the fragmentation of the global mediasphere into separate national segments. As a result of the study, the authors conclude that GDPR has finally slowed down the globalization of the online mediasphere, playing a main role in its regional fragmentation.

Download Full-text